chore: add new GH policy requirements #248

Merged
merged 2 commits into from
Oct 7, 2024
13 changes: 13 additions & 0 deletions .github/dependabot.yml
@@ -0,0 +1,13 @@
version: 2
updates:
# Maintain dependencies for GitHub Actions
- package-ecosystem: github-actions
directory: /
schedule:
interval: daily

# Maintain dependencies for npm and yarn
- package-ecosystem: npm
directory: /
schedule:
interval: daily
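Review bot: with `interval: daily` on both ecosystems Dependabot will open a separate PR for every bump, and since the workflows in this PR pin actions by commit SHA each GitHub Actions bump rewrites both the SHA and the trailing `# vX.Y.Z` comment (Dependabot keeps that comment in sync). Consider `interval: weekly` plus a `groups:` entry for the `github-actions` ecosystem so the pinned-SHA churn arrives as one reviewable PR instead of several a day. Also, the comment says "npm and yarn" but only an npm entry follows; drop yarn from the comment if it is not used.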
11 changes: 7 additions & 4 deletions .github/workflows/ci.yml
@@ -12,6 +12,9 @@ on:
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:

permissions:
contents: read

# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
# This workflow contains a single job called "build"
@@ -22,16 +25,16 @@ jobs:
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@v3
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7


suggestion:

uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # 4.2.0


- name: Use Node.js 19.6.0
uses: actions/setup-node@v3
uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
with:
node-version: '19.6.0'

- name: Install truffle
run: npm install -g truffle

- name: Install dependencies
run: npm ci
# - name: Lint source and tests
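Review bot: `npm install -g truffle` installs whatever the latest truffle release is at run time, which undoes the reproducibility the SHA-pinned actions in this hunk are buying; pin it (`npm install -g truffle@<version>`) or, better, declare truffle as a devDependency so `npm ci` installs the locked version and invoke it with `npx truffle`. Separately, `node-version: '19.6.0'` is an end-of-life Node.js line (19.x left support in June 2023) and no longer receives security fixes; move to a current LTS line. If the suggested `actions/checkout` 4.2.0 bump is taken, keep the comment in the `# v4.2.0` form used on the other pins for consistency.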
@@ -45,4 +48,4 @@ jobs:
# with:
# github-token: ${{ secrets.GITHUB_TOKEN }}
# - name: Reproduce build
# run: npm publish --dry-run
# run: npm publish --dry-run
22 changes: 22 additions & 0 deletions .github/workflows/dependency-review.yml
@@ -0,0 +1,22 @@
# Dependency Review Action
#
# This Action will scan dependency manifest files that change as part of a Pull Request,
# surfacing known-vulnerable versions of the packages declared or updated in the PR.
# Once installed, if the workflow run is marked as required,
# PRs introducing known-vulnerable packages will be blocked from merging.
#
# Source repository: https://github.com/actions/dependency-review-action
name: 'Dependency Review'
on: [pull_request]

permissions:
contents: read

jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7


suggestion:

uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # 4.2.0

- name: 'Dependency Review'
uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # v4.3.3


suggestion:

actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
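Review bot: the header comment promises that PRs introducing known-vulnerable packages are blocked, but that only happens once the `Dependency Review` check is made a required status check in the `master` branch protection rule, which this PR does not include; without that follow-up the workflow is advisory only. The action also runs with its defaults here; state `fail-on-severity` explicitly in `with:` (and, since the repo is now MIT-licensed, `allow-licenses` or `deny-licenses`) so the policy is visible in the file rather than implied. The checkout step should pass `persist-credentials: false` as scorecard.yml already does; this job never pushes.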

42 changes: 42 additions & 0 deletions .github/workflows/scorecard.yml
@@ -0,0 +1,42 @@
name: Scorecard supply-chain security
on:
branch_protection_rule:
schedule:
- cron: '0 0 * * 1'
push:
branches: [ "master" ]

permissions: read-all

jobs:
analysis:
name: Scorecard analysis
runs-on: ubuntu-latest
permissions:
security-events: write
id-token: write

steps:
- name: "Checkout code"
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1


suggestion:

uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # 4.2.0

with:
persist-credentials: false

- name: "Run analysis"
uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1


I suggest using the updated version 2.4.0
uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0

more details: https://github.com/ossf/scorecard-action/releases

with:
results_file: results.sarif
results_format: sarif
publish_results: true

- name: "Upload artifact"
uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20


I suggest using the latest stable version 2.4.0
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
more details: https://github.com/actions/upload-artifact/releases

with:
name: SARIF file
path: results.sarif
retention-days: 5

- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9


I suggest using the latest stable version 3.26.9
uses: github/codeql-action/upload-sarif@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9

with:
sarif_file: results.sarif
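Review bot: `actions/upload-artifact@97a0fba…` is labelled `v3.pre.node20`, a pre-release ref, while every other step is pinned to a released tag; pin it to a released v4 line (the SHA suggested above for v4.4.0 is the right direction, even though the text above it says 2.4.0, which is the scorecard-action version). `github/codeql-action/upload-sarif` is pinned to v3.24.9 here but to the v2 line in slither.yml in the same PR; align both on one v3 release. The top-level `permissions: read-all`, `persist-credentials: false` on checkout, and job-scoped `id-token: write` for `publish_results: true` are correct as written.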
12 changes: 8 additions & 4 deletions .github/workflows/slither.yml
@@ -1,30 +1,34 @@
name: Slither Analysis
on: [push]

permissions:
contents: read

jobs:
analyze:
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7


suggestion:

uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # 4.2.0


- name: Use Node.js 19.6.0
uses: actions/setup-node@v3
uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
with:
node-version: '19.6.0'

- name: Install dependencies
run: npm ci

- name: Run Slither
uses: crytic/[email protected]
uses: crytic/slither-action@6ef3a33e56de4e8f59488cf60858b5c1bf4967c0 # v0.3.0
id: slither
with:
sarif: results.sarif
fail-on: none
target: .

- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@85b07cf1e13dd512be7c27c37a33c5864c252fcc # v2


I suggest using the latest stable version 3.26.9
uses: github/codeql-action/upload-sarif@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9

with:
sarif_file: ${{ steps.slither.outputs.sarif }}
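Review bot: `fail-on: none` means Slither findings never fail this job, so a high-severity detector hit on a push to `master` only surfaces as a code-scanning alert and never blocks anything; now that results are uploaded as SARIF, consider `fail-on: high` (or `medium`), or document why the gate is intentionally open. `on: [push]` also runs the analysis for every branch push but not for pull requests; adding a `pull_request` trigger would put the alerts on the PR where reviewers look. And `upload-sarif` is still on the v2 line here while scorecard.yml uses v3.24.9; pick one v3 release for both. Same remark as ci.yml on `node-version: '19.6.0'` (end-of-life) and on passing `persist-credentials: false` to checkout.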
35 changes: 35 additions & 0 deletions .pre-commit-config.yaml
@@ -0,0 +1,35 @@
repos:
- repo: https://github.com/gitleaks/gitleaks
rev: v8.16.3
hooks:
- id: gitleaks
- repo: https://github.com/jumanjihouse/pre-commit-hooks
rev: 3.0.0
hooks:
- id: shellcheck
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.4.0
hooks:
- id: "trailing-whitespace"
- id: "end-of-file-fixer"
exclude: '\.tf\.json$'
- id: "check-yaml"
args:
- "--unsafe"
- id: "check-executables-have-shebangs"
- id: "check-case-conflict"
# Project specific
- repo: local
hooks:
- id: code-style
name: Project Style Check
entry: npm run lint
language: system
types: [solidity]
- repo: local
hooks:
- id: unit-tests
name: Project Unit Tests
entry: npm run test
language: system
types: [solidity, javascript]
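Review bot: the `rev` values (`v8.16.3`, `3.0.0`, `v4.4.0`) are mutable tags, so this file does not get the immutable pinning the workflows in this PR adopt; pre-commit accepts a full commit SHA in `rev`, which would make the hook set reproducible too. The `exclude: '\.tf\.json$'` on `end-of-file-fixer` looks carried over from a Terraform template; unless the repo contains `.tf.json` files it can go. Running `npm run test` as a commit hook on every Solidity or JavaScript change will be slow for a contract test suite; consider `stages: [pre-push]` on the `unit-tests` hook and keeping only `code-style` at commit time.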
52 changes: 52 additions & 0 deletions CONTRIBUTING.md
@@ -0,0 +1,52 @@
# Contributing
## How to contribute to RSK

These are mostly guidelines, not rules. Use your best judgment, and feel free to propose changes to this document in a pull request.

### Code Reviews

Continued code reviews and audits are required for security. As such, we encourage interested security researchers to:

* Review our code, even if no contributions are planned.
* Publish their findings whichever way they choose, even if no particular bug or vulnerability was found. We can all learn from new sets of eyes and benefit from increased scrutiny.

### Code contributions

A code contribution process starts with someone identifying a need for writing code. If you're thinking about making your first contribution, we suggest you take a moment to get in touch and see how your idea fits in the development plan:

* Is it a bug in our [issue tracker](https://github.com/rsksmart/liquidity-bridge-contract/issues)?
* Is it a novel idea that should be proposed and discussed first?

#### Review process

Once you know what to do, it is important that you provide a full description of the proposed changes. You can also send a draft pull request if you already have code to show.

We make use of GitHub Checks to ensure all changes meet a certain criteria:

1. The `master` branch is protected and only changeable through pull requests
2. All unit tests must pass
3. A project maintainer must approve the pull request
4. An authorized merger must merge the pull request

Since this is a security-sensitive project, we encourage everyone to be proactive and participate in the review process. To help collaboration we propose adhering to these conventions:

* **Request changes** only for correctness and security issues.
* **Comment** when leaving feedback without explicit approval or rejection. This is useful for design and implementation discussions.
* **Approve** when changes look good from a correctness, security, design and implementation standpoint.

All unit and integration tests pass without loss of coverage (e.g can't remove tests without writing equivalent or better ones).

All code paths on new code must be unit tested, including sensible edge cases and expected errors. Exceptions to this rule must be justified (i.e. highly similar paths already tested) in written form in the PR description.

In order to ease review, it is expected that the code diff is maintained to a minimum. This includes things like not changing unrelated files, not changing names or reordering code when there isn't an evident benefit.

When automatic code quality and security checks are ready in the pipeline for external PRs, then the PR must pass all PR validations including code coverage (Sonar), code smells (Sonar), Security advisories (Sonar, LGTM).

## Style guidelines

### Pull request etiquette

* Separate your changes into multiple commits
* If your pull request gets too big, try to split it
* Each commit should at least compile, and ideally pass all unit tests
* Avoid merge commits, and always rebase your changes on top of `master`
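Review bot: the Code Reviews section asks security researchers to "Publish their findings whichever way they choose", which for a bridge contract that custodies funds invites public disclosure of an exploitable bug before a fix ships; add a coordinated-disclosure channel (a SECURITY.md with a contact and an expected response time) and ask that vulnerabilities go there first, leaving the issue tracker for non-security bugs. The Review process section should also name the gates this PR adds (Dependency Review, Slither, Scorecard) rather than only the forward-looking sentence about Sonar and LGTM; LGTM.com was shut down in 2022 and folded into CodeQL, so that reference is stale. Minor: the heading says "How to contribute to RSK" while the README calls the project the Liquidity Bridge Contract.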
21 changes: 21 additions & 0 deletions LICENSE
@@ -0,0 +1,21 @@
MIT License

Copyright (c) 2024 RootstockLabs

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
9 changes: 5 additions & 4 deletions readme.MD → README.md
@@ -1,4 +1,5 @@
# Liquidity Bridge Contract
[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/rsksmart/liquidity-bridge-contract/badge)](https://scorecard.dev/viewer/?uri=github.com/rsksmart/liquidity-bridge-contract)

The Liquidity Bridge Contract (LBC) manages the interaction between users and liquidity providers (LP) in order to achieve fast peg-ins and peg-outs.

@@ -31,7 +32,7 @@ PegIn Quotes consist of:
address lbcAddress; // the address of the LBC
address liquidityProviderRskAddress; // the RSK address of the LP
bytes btcRefundAddress; // a user BTC refund address
address rskRefundAddress; // a user RSK refund address
address rskRefundAddress; // a user RSK refund address
bytes liquidityProviderBtcAddress; // the BTC address of the LP
uint callFee; // the fee charged by the LP
uint penaltyFee; // the penalty that the LP pays if it fails to deliver the service
@@ -55,7 +56,7 @@ PegOut Quotes consist of:
address lbcAddress; // the address of the LBC
address lpRskAddress; // the RSK address of the LP
bytes btcRefundAddress; // a user BTC refund address
address rskRefundAddress; // a user RSK refund address
address rskRefundAddress; // a user RSK refund address
bytes lpBtcAddress; // the BTC address of the LP
uint callFee; // the fee charged by the LP
uint penaltyFee; // the penalty that the LP pays if it fails to deliver the service
@@ -82,7 +83,7 @@ PegOut Quotes consist of:
) returns bool success

This method performs a call on behalf of a user.
#### Parameters
#### Parameters
* quote: The quote that identifies the service
#### Return value
Boolean indicating whether the call was successful
@@ -104,7 +105,7 @@ This method requests the Bridge contract on RSK a refund for the service.
* btcRawTransaction The peg-in transaction
* partialMerkleTree The merkle tree path that proves transaction inclusion
* height The block that contains the peg-in transaction
#### Return value
#### Return value
This method returns the amount transferred to the contract or an [error code](https://github.com/rsksmart/RSKIPs/blob/fast-bridge-alternative/IPs/RSKIP176.md#error-codes).

### **isOperational**